c85e0d5578dfbb33ff502091ec9f3f81 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

c85e0d5578dfbb33ff502091ec9f3f81
Size

4.7MB
MD5

c85e0d5578dfbb33ff502091ec9f3f81
SHA1

60b3f2678cd4bb2427889f7f1c195ce72ff2f831
SHA256

99c13659be0c0b6797a89c986a04c236db12ce5820cff1377d74977c6c729761
SHA512

2a6c9e366a405f43cc15d36cd2b90ff808df7a479c50f2eb38c7e0c06aefe9c187ac1f2af556becf2966169a9e0e51462a73b2ca80b2e9c3b2636b86aa3ad892
SSDEEP

98304:/gh3TStIFQh9feAiIcsWZZf42QJ1dmGe3nO6AD6GHIQFMVS3S:/gVTilhZ5rWZZQTQf3nO56GN62

Score

7^/10

vmprotect

Malware Config

Signatures

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

resource	yara_rule
sample	vmprotect

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
c85e0d5578dfbb33ff502091ec9f3f81

Files

c85e0d5578dfbb33ff502091ec9f3f81
.exe windows:5 windows x86 arch:x86

665994cfb8f1f7f1f4001fa79c1e0918

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

kernel32

GetVersionExA
VirtualQuery
LocalAlloc
LocalFree
GetModuleFileNameW
GetProcessAffinityMask
SetProcessAffinityMask
SetThreadAffinityMask
Sleep
ExitProcess
FreeLibrary
LoadLibraryA
GetModuleHandleA
GetProcAddress

user32

wsprintfA
GetProcessWindowStation
GetProcessWindowStation
GetUserObjectInformationW

advapi32

RegisterServiceCtrlHandlerA

msvcrt

fclose

wtsapi32

WTSSendMessageW

Sections

.text
Size: - Virtual size: 22KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: - Virtual size: 3KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.vmp0
Size: - Virtual size: 2.8MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.vmp1
Size: 4.7MB - Virtual size: 4.7MB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ